Resubmissions
Submitted            Report ID            Score
14/02/2025, 03:19    250214-dt85hazpgj    8
15/07/2024, 12:22    240715-pj7dpszhrl    8
14/07/2024, 17:11    240714-vqpp5asckh    8
14/07/2024, 17:07    240714-vmz2pasbjb    10
14/07/2024, 16:55    240714-ve3gvaygnq    8
01/05/2024, 09:05    240501-k2a11abe8v    10
24/03/2023, 19:33    230324-x9t53aba7y    10
Analysis
max time kernel
599s
max time network
580s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags
arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted
01/05/2024, 09:05
Static task
static1
Behavioral task
behavioral1
Sample
Replace.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Replace.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
Replace.exe
Resource
win11-20240419-en
General
Target
Replace.exe
Size
34.8MB
MD5
fd5cd14325c51ecab6a57d1d665f8852
SHA1
ea16aa0f197210437733c63a42a8f1dd6442d753
SHA256
d433cd0ba6b6850a9f616b3b89754a005699547d4e04fadb75cade770156cfd1
SHA512
9a2e4c8baa01fbafe6968905daeb8d3b7eb62c09d1d7584e973ad1c23d964093e161a51a7390dfaa598d2657f45ca17bf00b5055aeaf0441f875ddb364741d71
SSDEEP
786432:i9hj60qHOBbQcVM3sct6C2ubdsUeGXV4yQnb+LQgRkrm12PYfrB:i9kH+o5sG2ysbhrmka
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\InetHelper\\cleaner.exe\"" | wns4E40.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\InetHelper\\cleaner.exe\"" | cleaner.exe
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wns4E40.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\InetHelper = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\InetHelper\\cleaner.exe\"" | wns4E40.tmp
Blocklisted process makes network request 1 IoCs
flow | pid | Process
3 | 3596 | rundll32.exe
Executes dropped EXE 4 IoCs
pid | Process
3980 | run.exe
3156 | wns4E40.tmp
1308 | cleaner.exe
1988 | node.exe
Loads dropped DLL 1 IoCs
pid | Process
3596 | rundll32.exe
resource | yara_rule
behavioral3/files/0x001900000002ab13-26.dat | upx
behavioral3/memory/1988-N-0x0000000000400000-0x0000000001F1A000-memory.dmp | upx, for each N in 27, 33, 36, 38, 40, 43, 46, 50, 53, 57, 61, 64, 65, 68, 71, 74, 78, 82, 85, 86, 89, 92, 95, 99, 102, 106, 110, 113, 117, 120 (30 memory dumps of PID 1988, all matching the upx rule)
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc3F99.tmp\",Start verpostfix=bt" | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\InetHelper = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\InetHelper\\cleaner.exe\"" | wns4E40.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\InetHelper = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\InetHelper\\cleaner.exe\"" | cleaner.exe
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll | run.exe
File opened for modification | C:\Program Files\Image-Line | run.exe
File opened for modification | C:\Program Files\Image-Line\FL Studio 20 | run.exe
File created | C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240600078 | run.exe
File created | C:\Program Files\Image-Line\FL Studio 20\FL64.exe | run.exe
File opened for modification | C:\Program Files\Image-Line\FL Studio 20\FL64.exe | run.exe
File created | C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll | run.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3596 | rundll32.exe
3596 | rundll32.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Each of the 21 tokens below is recorded twice for PID 1364 and once for PID 2108 (63 entries), followed by one further SeIncreaseQuotaPrivilege entry for PID 2108 (64 entries in total).
Token: SeIncreaseQuotaPrivilege | 1364, 2108 | wmic.exe
Token: SeSecurityPrivilege | 1364, 2108 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1364, 2108 | wmic.exe
Token: SeLoadDriverPrivilege | 1364, 2108 | wmic.exe
Token: SeSystemProfilePrivilege | 1364, 2108 | wmic.exe
Token: SeSystemtimePrivilege | 1364, 2108 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1364, 2108 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1364, 2108 | wmic.exe
Token: SeCreatePagefilePrivilege | 1364, 2108 | wmic.exe
Token: SeBackupPrivilege | 1364, 2108 | wmic.exe
Token: SeRestorePrivilege | 1364, 2108 | wmic.exe
Token: SeShutdownPrivilege | 1364, 2108 | wmic.exe
Token: SeDebugPrivilege | 1364, 2108 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1364, 2108 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1364, 2108 | wmic.exe
Token: SeUndockPrivilege | 1364, 2108 | wmic.exe
Token: SeManageVolumePrivilege | 1364, 2108 | wmic.exe
Token: 33 | 1364, 2108 | wmic.exe
Token: 34 | 1364, 2108 | wmic.exe
Token: 35 | 1364, 2108 | wmic.exe
Token: 36 | 1364, 2108 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 2108 | wmic.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries (identical rows collapsed; total 64)
PID 2228 wrote to memory of 3596 | 2228 | Replace.exe | 80 | 3
PID 2228 wrote to memory of 3980 | 2228 | Replace.exe | 81 | 2
PID 3596 wrote to memory of 3156 | 3596 | rundll32.exe | 83 | 3
PID 3156 wrote to memory of 1308 | 3156 | wns4E40.tmp | 84 | 3
PID 1308 wrote to memory of 1988 | 1308 | cleaner.exe | 85 | 3
PID 1988 wrote to memory of 1364 | 1988 | node.exe | 86 | 3
PID 1988 wrote to memory of 2108 | 1988 | node.exe | 89 | 3
PID 1988 wrote to memory of 3512 | 1988 | node.exe | 91 | 3
PID 1988 wrote to memory of 5108 | 1988 | node.exe | 93 | 3
PID 1988 wrote to memory of 2788 | 1988 | node.exe | 95 | 3
PID 1988 wrote to memory of 4648 | 1988 | node.exe | 97 | 3
PID 1988 wrote to memory of 2852 | 1988 | node.exe | 99 | 3
PID 1988 wrote to memory of 1036 | 1988 | node.exe | 101 | 3
PID 1988 wrote to memory of 4976 | 1988 | node.exe | 103 | 3
PID 1988 wrote to memory of 2904 | 1988 | node.exe | 105 | 3
PID 1988 wrote to memory of 2348 | 1988 | node.exe | 107 | 3
PID 1988 wrote to memory of 1616 | 1988 | node.exe | 109 | 3
PID 1988 wrote to memory of 4964 | 1988 | node.exe | 111 | 3
PID 1988 wrote to memory of 4820 | 1988 | node.exe | 113 | 3
PID 1988 wrote to memory of 2920 | 1988 | node.exe | 115 | 3
PID 1988 wrote to memory of 2316 | 1988 | node.exe | 117 | 3
PID 1988 wrote to memory of 3108 | 1988 | node.exe | 119 | 2
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\Replace.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Replace.exe"
  PID: 2228
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc3F99.tmp",Start verpostfix=bt
    PID: 3596
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Local\Temp\wns4E40.tmp
      Command line: wscsu.exe /S /VERPOSTFIX=bt
      PID: 3156
      - Modifies WinLogon for persistence
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe
        Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe"
        PID: 1308
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        (depth 5) C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\node.exe
          Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\node.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\service.js"
          PID: 1988
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          (depth 6) 52 child processes, all C:\Windows\SysWOW64\Wbem\wmic.exe, alternating between two command lines:
            A: wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
            B: wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
            PID: 1364 (A)
            - Suspicious use of AdjustPrivilegeToken
            PID: 2108 (B)
            - Suspicious use of AdjustPrivilegeToken
            Remaining PIDs in the order listed in the report, A and B alternating, no signatures triggered:
            3512, 5108, 2788, 4648, 2852, 1036, 4976, 2904, 2348, 1616, 4964, 4820, 2920, 2316, 3108, 688, 3584, 1664, 1044, 3860, 4612, 4628, 840, 1144, 1596, 2100, 3580, 240, 4532, 3904, 3740, 960, 4720, 2424, 3496, 396, 3772, 464, 3304, 3572, 1724, 4668, 1612, 5072, 2872, 2068, 2904, 3744, 704, 1976

  (depth 2) C:\Users\Admin\AppData\Local\Temp\7zS4B892217\run.exe
    Command line: .\run.exe
    PID: 3980
    - Executes dropped EXE
    - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
4KB
MD5
e9ded10dff258f6522fe9079ed3319ca
SHA1
b0127ea7675f6359bfa80a7bf6282bd1c989b405
SHA256
ea1d61984ede5908e0840e91a71bb127efd62d836c1f76702b426fd79b57f780
SHA512
d95482d3cf50b37e999e3f91377bd41a215f3f0c55c9f3e47fc9c563b9cd3f5c5ee945878889a8147b9f089005826ce81398172395d0107dc14eb8fefc0d36de

Filesize
6.6MB
MD5
5f40521d2e1082fe1c734610c4a83911
SHA1
86d54874cc8976cdb75a9dc8dcd817af50837796
SHA256
79ac7ae94231a392d27f303418e305a60c4194dbbe143c5deffc977c7b2e7a78
SHA512
ef2b54b46844cfb13cfdef6271e2a8b4e646d2e31ca55229e5c76ca90c649895533bc8fb83c4d50dd3721abb2a5e4c5ee32df5c4540e1c14498a5e9b550d3189

Filesize
186KB
MD5
42fb0fa52c2e0bbbdf379c1aba97d12e
SHA1
164c4639d99a7dcfacf29da930ca4dfef3621a11
SHA256
3db6ffa48cae2dbdc68f9bf5ee75ba5b7abd4f923c5fc6741477916957909071
SHA512
b9e96ba85508bb44f49dbf92185157db149fab2a6245a2d39ce49da5ae14617928f44cf8ee2bcb8c9dd4060082cc4b2b84ea6ff7659ce15caa8d9da02c46c936

Filesize
2B
MD5
6920626369b1f05844f5e3d6f93b5f6e
SHA1
edfb92a5be2a31a47d117f6c1530e1cebe1b4963
SHA256
5e73d6d7edd38daeae9f10721987e301e4d4b5421e88eb17063ac5a41b168273
SHA512
0b307a2eca21778e3fca2d855f0e12ff10726fe276bedbf70b40e10f21de839922384d494b67d65a21d4fa15d8642a84b6c39b15ab7e91f3b9555a53ece4f882

Filesize
34.8MB
MD5
d77c3ef3efa7e38ef91137466eee801b
SHA1
0b6ce4b03f43c2a7290f95bfbbe9107298efeaef
SHA256
91c2295f354b0616aa6481708248f6ce35dbe9292901464fc6bf3a22522ccb2f
SHA512
7c0171509814f7e5f24b2a9d53a10ab282586ec56bcdedc2deb2ba1aa2b4d9edade6d6d753ca80fb65d147597bfd4ac9f30e330e88c695e72c913ff3ab224750

Filesize
6.7MB
MD5
7a506a2e92bc66a9f64c2333a815e97a
SHA1
a123f6c070f4258c481cb0b6c2b5d1403463e2fa
SHA256
c9daca7de1b623867aee943a1d508573841f2584ffa91aaaf09de2a883d2733f
SHA512
8bdec3839ca8e0c72dcb76455ad1585264dcef4150d90e0299b477f99590a1b98ac0bd377985ac2e8e2c15f071588ad821650fc200e0f65ec4583f3f82582e30

Filesize
6KB
MD5
41e689a7859429d628c34a82bcbb1187
SHA1
f435c4225fc00b3ce4543b812731a65d3722bdc3
SHA256
252dd587c652e9939432bd8b5574590c4a8db64660bc753f5490a472703f5c3a
SHA512
6a8f76f4d2eeb78df1c48f43c8d31f4510f2ba8da71fbb93d88627eba5f4cc74eb9aa12b7688d7fb62ed938fe2ac15bd2c060d6ad90e5b2c61114f74fcecec85